OFFICE OF INSPECTOR GENERAL

AUDIT OF THE INTER-AMERICAN FOUNDATION'S COMPLIANCE WITH PROVISIONS OF THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT FOR FISCAL YEAR 2010

AUDIT REPORT NO. A-IAF-10-003-P
SEPTEMBER 22, 2010

WASHINGTON, D.C.


Office of Inspector General

September 22, 2010

Ms. Linda Borst Kolko, Interim President
Inter-American Foundation
901 North Stuart Street, 10th Floor
Arlington, VA 22203

Subject: Audit of the Inter-American Foundation's Compliance With Provisions of the Federal Information Security Management Act for Fiscal Year 2010 (Report No. A-IAF-10-003-P)

Dear Ms. Kolko:

This letter transmits our final report on the subject audit. In finalizing the report, we considered your comments on the draft report. Your comments are included in Appendix II.

The report includes one recommendation to help the Inter-American Foundation improve its information security program. Based on our evaluation of your written comments, a management decision has been reached on the recommendation. A determination of final action must be made by the Foundation. Please notify us when final action has been completed.

I want to express my sincere appreciation for the cooperation and courtesies extended to my staff during the audit.

Sincerely,

/s/

Joseph Farinella
Assistant Inspector General for Audit

U.S. Agency for International Development
1300 Pennsylvania Avenue, NW
Washington, DC 20523
www.usaid.gov


CONTENTS

Summary of Results ........................................................ 1

Audit Findings ............................................................. 3

    The Foundation Had Not Performed a Tabletop Exercise
    for Contingency Planning ............................................... 3

    Foundation Policy on Access Control Did Not Include
    Publicly Accessible Content ............................................ 4

Evaluation of Management Comments .......................................... 5

Appendix I – Scope and Methodology ......................................... 6

Appendix II – Management Comments .......................................... 8


SUMMARY OF RESULTS

The Federal Information Security Management Act of 2002 [1] requires agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. Because the Inter-American Foundation (the Foundation) is a federal agency, it is required to comply with federal information security requirements.

The act also requires agency heads to ensure that (1) employees are sufficiently trained in their security responsibilities, (2) security incident response capability is established, and (3) information security management is integrated with the agency's strategic and operational planning processes. All agencies must also report annually on the effectiveness of their information security program. In addition, the act made the standards issued by the National Institute of Standards and Technology (NIST) mandatory for federal agencies.

A key requirement of the act is an annual independent evaluation of agencies' information security programs and practices. The U.S. Agency for International Development's Office of Inspector General (OIG) conducted this audit to determine whether the Foundation implemented selected security controls [2] for selected information systems in support of the Federal Information Security Management Act of 2002.

At the time of the audit, the Foundation operated two information systems: (1) the Enterprise Network and (2) the Grant Evaluation Management System. The Enterprise Network provides the infrastructure that supports mission-critical and mission-important applications as well as administrative and minor applications for the Foundation. The Grant Evaluation Management System tracks all grant activity for the Foundation.

The audit found that the Foundation had generally implemented selected security controls for its information security program. For example, the Foundation:

•   Integrated security training into its new employee orientation and annual refresher training for employees.

•   Documented comprehensive and up-to-date policies and procedures for responding to computer incidents, intrusions, and emergencies.

•   Established a baseline configuration management process.

Although the Foundation had implemented many security controls over its information systems, the audit identified two weaknesses in the Foundation's information security program. Specifically, the audit found that:

•   The Foundation had not performed a tabletop exercise for contingency planning as required by Foundation policy. A tabletop exercise is an element of contingency planning. It involves personnel meeting in a classroom or other group setting to discuss their roles during an emergency and their responses to a particular emergency. Tabletop exercises do not involve deploying equipment or other resources (page 3).

•   Foundation policy on access control did not include publicly accessible content as recommended in NIST Special Publication 800-53, Revision 3 (page 4).

After our exit conference, Foundation officials provided OIG staff an updated access control policy that incorporates publicly accessible content. As a result, the report makes only one recommendation, to the Foundation's Chief Information Officer, to conduct a tabletop exercise for contingency planning as required by the Foundation's continuity of operations policy (page 3).

Appendix I details the audit's scope and methodology. Appendix II contains the Foundation's comments in their entirety. OIG has reviewed the information provided by the Foundation in its response to the draft report and determined that a management decision has been reached on the recommendation.

[1] Enacted as Title III of the E-Government Act of 2002, Public Law 107-347 (2002), and codified at 44 U.S.C. 3541-3549 (2006).
[2] The table in Appendix I lists selected controls.


AUDIT FINDINGS

The Foundation Had Not Performed a Tabletop Exercise for Contingency Planning

National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3, CP-4, "Contingency Plan Testing and Exercises," states that "The organization tests and/or exercises the contingency plan for the information system to determine the plan's effectiveness and the organization's readiness to execute the plan."

The Foundation's continuity of operations policy states, "The Foundation shall develop and maintain detailed business, communications, and IT recovery plans, and the associated recovery capability in the event that normal operations are disrupted. All personnel involved with planning efforts shall be identified and trained in executing the plan and recovery capability." The policy also states that the Foundation shall review and update the plan annually; according to the Foundation's information system security officer (ISSO), the annual requirement includes conducting a tabletop exercise.

A tabletop exercise is an element of contingency planning. It involves personnel meeting in a classroom or other group setting to discuss their roles during an emergency and their responses to a particular emergency. Tabletop exercises do not involve deploying equipment or other resources.

However, contrary to the Foundation's continuity of operations policy, the Foundation did not conduct a tabletop exercise as a part of its annual contingency planning to ensure that key Foundation personnel understood and discussed their roles in executing the recovery plan for an emergency.

The Foundation's ISSO stated that the tabletop exercise was not conducted because the focus for contingency planning was on testing the systems and conducting phone tree exercises.

By not conducting tabletop exercises, the Foundation runs the risk of not being able to recover as quickly and effectively as possible following an emergency. To reduce that risk, this audit makes the following recommendation.

    Recommendation. We recommend that the Inter-American Foundation's Chief Information Officer schedule and conduct a tabletop exercise with key personnel in support of the Inter-American Foundation's continuity of operations policy.


Foundation Policy on Access Control Did Not Include Publicly Accessible Content

NIST Special Publication 800-53, Revision 3, AC-22, "Publicly Accessible Content," states that "The organization (a) designates individuals authorized to post information onto an organizational information system that is publicly accessible; and (b) trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information."

The Foundation's information security manual does not fully incorporate all relevant controls identified by NIST Special Publication 800-53. Specifically, access control policy and procedures for publicly accessible content are missing from the Foundation's manual.

Although the Foundation has a process for authorizing and training individuals responsible for Web posting of publicly accessible content, the Foundation has not documented this process in its information security manual. By not documenting authorization and training processes in its access control policy, the Foundation runs the risk that personally identifiable information may inadvertently be released to the public.

The ISSO stated that the control was not incorporated into the access control policy because of an oversight. After our exit conference, the Foundation's ISSO submitted to OIG an updated access control policy that incorporates publicly accessible content as required by NIST Special Publication 800-53. As a result, we are not making a recommendation that addresses the publicly accessible content requirement.


EVALUATION OF MANAGEMENT COMMENTS

In response to the draft report, the Inter-American Foundation (the Foundation) agreed with the audit finding and the recommendation. The Foundation indicated that it is working with contract information technology security specialists from the Bureau of the Public Debt to plan and implement a tabletop exercise with key Foundation personnel no later than March 31, 2011. The Foundation's comments are included in their entirety in Appendix II.

The Office of Inspector General has reviewed the Foundation's response and determined that a management decision has been reached on the recommendation.


Appendix I

SCOPE AND METHODOLOGY

Scope

This audit was designed and performed by USAID's Office of Inspector General (OIG), Information Technology Division, to answer the following question: Did the Inter-American Foundation implement selected security controls for selected information systems in support of the Federal Information Security Management Act of 2002?

The audit was conducted at the Foundation's headquarters in Arlington, Virginia, from May 10 through July 16, 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions in accordance with our audit objective. We believe that the evidence obtained provides that reasonable basis.

At the time of the audit, the Foundation had two information systems: (1) the Enterprise Network and (2) the Grant Evaluation Management System. The Department of the Treasury's Bureau of Public Debt's Information Technology Group provides network administration and information systems security for both systems. The Foundation also used two systems operated by outside entities: a payroll system operated by the Department of Interior's National Business Center and a financial management system operated by the Department of Treasury's Bureau of Public Debt. This audit assessed selected controls on the two systems operated by the Foundation.

Methodology

OIG staff conducted interviews with key personnel and obtained and reviewed control policies, procedures, and system documentation. We gained an understanding of system operations and identified significant computer operations through discussions with Foundation officials, including the information system security officer.

Following the framework for minimum security controls in National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 3, dated August 2009, [3] we selected certain controls (shown in the table below) from NIST security control families [4] and reviewed the selected controls over the Foundation's Enterprise Network and the Grant Evaluation Management System.

[3] NIST publications take effect 1 year from their publication date. For this audit, we followed Revision 3 of NIST 800-53, which took effect before this report's publication.
[4] Security controls are organized into families according to their security function; for example, access controls.

Selected Security Controls

NIST Control Family   Control Name
AC-1                  Access Control Policy and Procedures
AC-2                  Account Management
AC-7                  Unsuccessful Logon Attempts
AC-22                 Publicly Accessible Content
AT-1                  Security Awareness and Training Policy and Procedures
AT-2                  Security Awareness
AT-4                  Security Training Records
CA-1                  Security Assessment and Authorization Policies and Procedures
CA-5                  Plan of Action and Milestones
CA-6                  Security Authorization
CM-1                  Configuration Management Policy and Procedures
CM-2                  Baseline Configuration
CP-1                  Contingency Planning Policy and Procedures
CP-2                  Contingency Plan
CP-4                  Contingency Plan Testing and Exercises
IR-1                  Risk Assessment Policy and Procedures
IR-2                  Incident Response Training
IR-4                  Incident Handling
IR-6                  Incident Reporting
PE-1                  Physical and Environmental Protection Policy and Procedures
PE-2                  Physical Access Authorizations
PE-3                  Physical Access Control
PM-2                  Senior Information Security Officer
PM-4                  Plan of Action and Milestones Process
RA-1                  Risk Assessment Policy and Procedures
RA-2                  Security Categorization
RA-3                  Risk Assessment


Appendix II

MANAGEMENT COMMENTS

Inter-American Foundation
An Independent Agency of the U.S. Government

September 17, 2010

Joseph Farinella
Assistant Inspector General for Audit
U.S. Agency for International Development
1300 Pennsylvania Avenue, N.W.
Washington, DC 20523

Subject: Comments on Audit Report of IAF Compliance with Provisions of the Federal Information Security Management Act (FISMA) for Fiscal Year 2010

Dear Mr. Farinella:

Thank you very much for sharing the draft report prepared by the USAID Office of the Inspector General on the FY 2010 annual audit of the Inter-American Foundation's (IAF) information security program. The IAF has reviewed the report and concurs with the accuracy of your assessment that IAF generally implemented selected security controls in compliance with FISMA requirements.

We also are in agreement with the recommendation cited in the audit report for IAF to conduct a tabletop exercise as one of the annual planning and testing elements of our continuity of operations policy. While the IAF successfully conducted systems tests and phone tree exercises with employees during FY 2010, we did not include a tabletop exercise with staff to review roles and responsibilities for executing our recovery plan for an emergency event. We are working with contract IT security specialists from the Bureau of the Public Debt to plan and implement such a tabletop exercise with key IAF personnel no later than March 31, 2011, in keeping with the agency's continuity of operations policy.

Once again, I would like to take this opportunity to recognize the high level of professionalism of the USAID OIG audit team that conducted the FY 2010 audit of IAF's security posture. The auditor who performed the site review demonstrated an impressive knowledge of IT security and related federal guidelines, and was thoroughly briefed by the OIG team on the state of IAF's security, all of which contributed to the efficiency of the audit process. The auditor scheduled informational interviews with a cross-section of staff without disruption to productivity and offered many helpful suggestions to further strengthen our IT security program. We value the advice and work of your office, and look forward to our continued collaboration.

Sincerely,

/s/

Linda B. Kolko
Interim President

901 N. Stuart Street • Arlington, VA 22203 • Phone: 703-306-4301 • Fax: 703-306-4369


U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Avenue, NW
Washington, DC 20523
Tel: 202-712-1150
Fax: 202-216-3047
www.usaid.gov/oig